From c3f06417049e17a8d45ee5926c5043cb6c8aa9ef Mon Sep 17 00:00:00 2001
From: Tim Burke
Date: Wed, 24 Feb 2016 16:56:55 -0800
Subject: Follow-up to patch 282363
* Improve some formatting
* Be more explicit about how much will be revealed when
* Rename redact_sensitive_tokens to redact_sensitive_headers, as it affects more than tokens.
Change-Id: I02b375d914e9f0a210d038ecb31188d09a8ffce3
---
 swiftclient/client.py | 19 ++++++++++++-------
 swiftclient/shell.py | 2 +-
 tests/unit/test_swiftclient.py | 2 +-
 3 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/swiftclient/client.py b/swiftclient/client.py
index 9ebdef9..8375fed 100644
--- a/swiftclient/client.py
+++ b/swiftclient/client.py
@@ -72,13 +72,18 @@ if StrictVersion(requests.__version__) < StrictVersion('2.0.0'):
 logger = logging.getLogger("swiftclient")
 logger.addHandler(NullHandler())
-#: Default behaviour is to redact tokens, showing only the initial 16 chars.
-#: To disable, set the value of 'redact_sensitive_tokens' to False.
-#: When token redaction is enabled 'reveal_sensitive_prefix' configures the
-#: maximum length of any sensitive token data sent to the logs (if the token
-#: is less than 32 chars long then int(len(token)/2) chars will be logged,
+#: Default behaviour is to redact header values known to contain secrets,
+#: such as ``X-Auth-Key`` and ``X-Auth-Token``. Up to the first 16 chars
+#: may be revealed.
+#:
+#: To disable, set the value of ``redact_sensitive_headers`` to ``False``.
+#:
+#: When header redaction is enabled, ``reveal_sensitive_prefix`` configures the
+#: maximum length of any sensitive header data sent to the logs. If the header
+#: is less than twice this length, only ``int(len(value)/2)`` chars will be
+#: logged; if it is less than 15 chars long, even less will be logged.
 logger_settings = {
- 'redact_sensitive_tokens': True,
+ 'redact_sensitive_headers': True,
 'reveal_sensitive_prefix': 16
 }
 #: A list of sensitive headers to redact in logs. Note that when extending this
@@ -124,7 +129,7 @@ def scrub_headers(headers):
 (parse_header_string(key), parse_header_string(val))
 for (key, val) in headers
 ]
- if not logger_settings.get('redact_sensitive_tokens', True):
+ if not logger_settings.get('redact_sensitive_headers', True):
 return dict(headers)
 if logger_settings.get('reveal_sensitive_prefix', 16) < 0:
 logger_settings['reveal_sensitive_prefix'] = 16
diff --git a/swiftclient/shell.py b/swiftclient/shell.py
index 02f49dd..15be20a 100755
--- a/swiftclient/shell.py
+++ b/swiftclient/shell.py
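Review bot: The key rename in `logger_settings` (first hunk of `swiftclient/client.py`) has no fallback for the old name, so a caller that still sets `logger_settings['redact_sensitive_tokens'] = False` is now ignored without any warning; the same key is read in the `scrub_headers` hunk and written in `swiftclient/shell.py`. The failure direction is the safe one, because `.get('redact_sensitive_headers', True)` keeps redaction on, but it is silent. If patch 282363 has already shipped in a release, I would either honour the old key in `scrub_headers`, `if not logger_settings.get('redact_sensitive_headers', logger_settings.get('redact_sensitive_tokens', True)):`, or state in the `#:` comment that `redact_sensitive_tokens` is no longer read.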
@@ -1108,7 +1108,7 @@ def parse_args(parser, args, enforce_requires=True):
 if options.debug:
 logging.basicConfig(level=logging.DEBUG)
 logging.getLogger('iso8601').setLevel(logging.WARNING)
- client_logger_settings['redact_sensitive_tokens'] = False
+ client_logger_settings['redact_sensitive_headers'] = False
 elif options.info:
 logging.basicConfig(level=logging.INFO)
diff --git a/tests/unit/test_swiftclient.py b/tests/unit/test_swiftclient.py
index 77cf607..ae144e2 100644
--- a/tests/unit/test_swiftclient.py
+++ b/tests/unit/test_swiftclient.py
@@ -2233,7 +2233,7 @@ class TestLogging(MockHttpTest):
 unicode_token_value = (u'\u5929\u7a7a\u4e2d\u7684\u4e4c\u4e91'
 u'\u5929\u7a7a\u4e2d\u7684\u4e4c\u4e91'
 u'\u5929\u7a7a\u4e2d\u7684\u4e4c')
- c.logger_settings['redact_sensitive_tokens'] = False
+ c.logger_settings['redact_sensitive_headers'] = False
 c.http_log(
 ['GET'],
 {'headers': {
-- 
cgit v1.2.1
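Review bot: In the `swiftclient/shell.py` hunk, the `options.debug` branch switches header redaction off entirely, and nothing at the assignment says that debug output will then carry `X-Auth-Token` and `X-Auth-Key` values in full. A comment above the line would make that explicit, e.g. `# debug logging shows auth headers unredacted; treat the output as a secret`, since debug logs are what users tend to paste into bug reports. The option's help text is outside this hunk, so I cannot tell whether it already carries that warning; if it does not, it should say the same. `parse_args` starts and ends outside the hunk.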